{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1052 - Exfiltration Over Physical Medium",
    "\n",
    "Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests:\nCurrently, no tests are available for this technique."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Monitor file access on removable media. Detect processes that execute when removable media are mounted."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Shield Active Defense\n### Peripheral Management \n Manage peripheral devices used on systems within the network for active defense purposes. \n\n Peripheral Management is the administration of peripheral devices used on systems within the network for defensive or deceptive purposes. A defender can choose to allow or deny certain types of peripherals from being used on systems. Defenders can also introduce certain peripherals to an adversary-controlled system to see how the adversary reacts.\n#### Opportunity\nThere is an opportunity to determine adversary capabilities or preferences by controlling aspects of the engagement environment.\n#### Use Case\nA defender could use decoy peripherals, such as external Wi-Fi adapters, USB devices, etc. to determine if adversaries attempt to use them for exfiltration purposes.\n#### Procedures\nIntroduce external devices (e.g. a USB drive) to a machine in an adversary engagement scenario to see how quickly an adversary gains awareness to its presence and if they attempt to leverage the device.\nConfigure controls (such as AutoRun) which would require an adversary to take additional steps when leveraging a peripheral device to execute their tools."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}